Security Incidents mailing list archives
Re: Lion Worm/crew.tgz
From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Sat, 24 Mar 2001 10:05:30 -0500
On Sat, Mar 24, 2001 at 11:16:40AM +0100, Andreas Östling wrote:
On Fri, 23 Mar 2001, Michael H. Warfield wrote:
The "crew.tgz" egg that can be downloaded from coollion.51.net does not have the t0rn root kit. However, I have had one individual provide me a copy of a "crew.tgz" egg which very definitely DID contain the t0rn root kit in a directory lib/lib. What's on the URL http://coollion.51.net/crew.tgz seems to be roughly (some differences in a couple of the scripts, I believe) the contents of the lib/scan directory in the bigger egg (the one with t0rn included).
I've now got copies of both.
This is very confusing. Since you have two different versions, could you make them both available for download somewhere?
Here is the content of the http://coollion.51.net/crew.tgz version I downloaded Mar 22 09:09.
$ tar tzvf crew.tgz
drwxr-xr-x root/root 0 2001-02-26 00:31:51 lib/
drwxr-xr-x root/root 0 2001-02-26 01:46:52 lib/scan/
-rwxr-xr-x root/root 122 2001-02-26 01:46:39 lib/scan/1i0n.sh
-rwxr-xr-x root/root 85 2001-02-21 04:22:10 lib/scan/hack.sh
-rwxrwxr-x root/root 19033 2001-02-26 01:43:52 lib/scan/bind
-rwxr-xr-x root/root 12331 2001-01-12 05:34:33 lib/scan/randb
-rwxr-xr-x root/root 70 2001-02-21 04:22:44 lib/scan/scan.sh
-rwxr-xr-x root/root 15715 2001-02-18 20:35:29 lib/scan/pscan
-rwxr-xr-x root/root 114 2001-02-21 04:22:59 lib/scan/star.sh
-rwxr-xr-x root/root 40 2001-02-21 04:21:50 lib/scan/bindx.sh
-rw-rw-r-- root/root 0 2001-02-26 01:45:08 lib/scan/bindname.log
-rwxr-xr-x root/root 53 2001-02-25 22:30:17 lib/1i0n.sh
drwx------ root/root 0 2001-02-25 22:49:27 lib/lib/
-rwxr-xr-x root/root 53364 2000-02-27 18:44:41 lib/lib/netstat
drwxr-xr-x root/root 0 2001-02-20 19:43:41 lib/lib/dev/
-rw-r--r-- xd_zhao/xd_zhao 75 2001-02-25 22:23:51 lib/lib/dev/.1addr
-rw-r--r-- xd_zhao/xd_zhao 34 2001-02-21 02:21:10 lib/lib/dev/.1logz
-rw-r--r-- xd_zhao/xd_zhao 158 2001-02-25 22:26:55 lib/lib/dev/.1proc
-rw-r--r-- xd_zhao/xd_zhao 117 2001-02-25 22:25:08 lib/lib/dev/.1file
-rwxr-xr-x root/root 6948 2000-02-27 18:44:41 lib/lib/t0rns
-rwxr-xr-x root/root 22460 2000-02-27 18:44:41 lib/lib/du
-rwxr-xr-x root/root 39484 2000-02-27 18:44:41 lib/lib/ls
-rwxr-xr-x root/root 1345 2000-02-27 18:44:41 lib/lib/t0rnsb
-rwxr-xr-x root/root 31336 2000-02-27 18:44:41 lib/lib/ps
-rwxr-xr-x root/root 7578 2000-02-27 18:44:41 lib/lib/t0rnp
-rwxr-xr-x root/root 57452 2000-02-27 18:44:41 lib/lib/find
-rwxr-xr-x root/root 32728 2000-02-27 18:44:41 lib/lib/ifconfig
-rwxr-xr-x root/root 4568 2000-02-27 18:44:41 lib/lib/pg
-rw-r--r-- root/root 100424 2000-02-27 18:44:41 lib/lib/ssh.tgz
-rwxr-xr-x root/root 266140 2000-02-27 18:44:41 lib/lib/top
-rwxr-xr-x root/root 1382 2000-02-27 18:44:41 lib/lib/sz
-rwxr-xr-x root/root 3964 2000-02-27 18:44:41 lib/lib/login
-rwxr-xr-x root/root 6408 2000-02-27 18:44:41 lib/lib/in.fingerd
-rwxr-xr-x root/root 8445 2001-02-25 23:12:08 lib/lib/1i0n.sh
-rwxr-xr-x root/root 13184 2000-02-27 18:44:41 lib/lib/pstree
-rwxr-xr-x root/root 35100 2000-02-27 18:44:41 lib/lib/in.telnetd
-rwxr-xr-x root/root 16634 2000-02-27 18:44:41 lib/lib/mjy
-rwsr-xr-x root/root 11934 2000-02-27 18:44:41 lib/lib/sush
-rwxr-xr-x root/root 33820 2000-02-27 18:44:41 lib/lib/tfn
-rwxr-xr-x root/root 19085 2000-02-27 18:44:41 lib/lib/name
-rwxr-xr-x root/root 886 2001-02-25 22:48:32 lib/lib/getip.sh
Regards, Andreas Östling

Ok... I think this explains my mystery then. The egg on coollion.51.net has obviously been changed or delivered differently and resulted in different people getting different eggs. I learned of the smaller egg from another researcher at ICSA. We traded eggs and he told me that HE got HIS from coollion.51.net. I then downloaded the same thing and got what he got. I got the SMALL egg from coollion.51.net which only comprised what's in the "/lib/scan/" directory in your listing above and was identical to what he downloaded. You've apparently downloaded the big egg from coollion.51.net. You downloaded yours on March 22 while we each downloaded ours on March 23. I received the big egg on the night of March 22. Looks like maybe someone jerked the egg with the t0rn rootkit off line and replaced it with the smaller one.

What's interesting is that if you examine the three "1i0n.sh" scripts in the big one you realize it's a "piggy back". You always execute the 1i0n.sh script. If it's the small egg, that's all it is. If it's the big egg, it's the same name, just a different script and it then executes the same name in each of the two subdirectories. So the "bind" exploit doesn't change but both eggs work and the small egg is just a simple subset of the big egg. I wonder why the big one got pulled...
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
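As an added triage example (not code from the thread or from any of its posters), here is a Python parser for a `tar tzvf` listing that flags, without unpacking the archive, the indicators the discussion above turns on: the nested lib/lib/ tree that separates the rootkit egg from the scanner-only egg, the three same-named 1i0n.sh launchers, the setuid sush, the hidden dotfiles under dev/, and stock binaries shipped as replacements. The embedded listing is a constructed excerpt of the one quoted above, and the REPLACED_BINARIES set is an assumption drawn from that listing.

```python
import re
from collections import namedtuple

# Constructed excerpt of the `tar tzvf crew.tgz` listing quoted in the thread
# (entries copied from the message; the full listing has about 40 entries).
LISTING = """\
-rwxr-xr-x root/root       122 2001-02-26 01:46:39 lib/scan/1i0n.sh
-rwxrwxr-x root/root     19033 2001-02-26 01:43:52 lib/scan/bind
-rwxr-xr-x root/root        53 2001-02-25 22:30:17 lib/1i0n.sh
drwx------ root/root         0 2001-02-25 22:49:27 lib/lib/
-rwxr-xr-x root/root     53364 2000-02-27 18:44:41 lib/lib/netstat
-rw-r--r-- xd_zhao/xd_zhao    75 2001-02-25 22:23:51 lib/lib/dev/.1addr
-rwxr-xr-x root/root      6948 2000-02-27 18:44:41 lib/lib/t0rns
-rwxr-xr-x root/root     39484 2000-02-27 18:44:41 lib/lib/ls
-rwsr-xr-x root/root     11934 2000-02-27 18:44:41 lib/lib/sush
-rwxr-xr-x root/root      8445 2001-02-25 23:12:08 lib/lib/1i0n.sh
"""

Entry = namedtuple("Entry", "mode owner size path")
# GNU tar -tv columns: mode, owner/group, size, date, time, path
LINE_RE = re.compile(r"^(\S{10})\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$")

# Assumed set of stock tools that t0rn-style kits ship as trojaned replacements.
REPLACED_BINARIES = {"ls", "ps", "netstat", "find", "ifconfig", "top", "du",
                     "login", "in.telnetd", "in.fingerd", "pstree"}

def parse_listing(text):
    # Skip any line (e.g. the "$ tar ..." prompt) that is not a tar entry.
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [Entry(m.group(1), m.group(2), int(m.group(3)), m.group(4)) for m in matches if m]

def triage(entries):
    findings = []
    for e in entries:
        name = e.path.rstrip("/").rsplit("/", 1)[-1]
        if e.mode[3] == "s":                       # setuid bit in the owner-execute slot
            findings.append(("setuid", e.path))
        if name.startswith("."):                   # hidden config/log files such as dev/.1addr
            findings.append(("hidden-file", e.path))
        if name.startswith("t0rn"):                # components named after the kit
            findings.append(("t0rn-component", e.path))
        if e.path.startswith("lib/lib/") and name in REPLACED_BINARIES:
            findings.append(("trojaned-binary", e.path))
    return {
        "has_rootkit_tree": any(e.path.startswith("lib/lib/") for e in entries),
        "launchers": [e.path for e in entries if e.path.endswith("1i0n.sh")],
        "findings": findings,
    }
```

Running `triage(parse_listing(LISTING))` reports the big egg's rootkit tree and all three launchers, while feeding it only the lib/scan/ entries yields the small egg's single launcher and no findings.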